Set Permissions for Shared Folders

Updated: July 21, 2010

Applies To: Windows 7, Windows Server 2008 R2

Share permissions apply to users who connect to a shared folder over the network. Share permissions do not affect users who log on locally, or log on using Remote Desktop.

To set permissions for users who log on locally or using Remote Desktop, set NTFS file permissions using the options on the Security tab instead of the Share Permissions tab. If both share permissions and file system permissions are set for a shared folder, the more restrictive permissions apply when connecting to the shared folder.

For example, to give Read access on a shared folder to users in your domain, on the Share Permissions tab, set permissions for the Everyone group to Full Control. On the Security tab, specify more restrictive access by setting the file permissions for the Domain Users group to Read access. The result is that a user who is a member of the Domain Users group has read-only access to the shared folder whether the user is connected through a network share, through Remote Desktop, or is logged on locally.

You can set file system level permissions (as opposed to shared folder permissions) at the command line by using the operating system tool iCacls.exe or Cacls.exe. The tools run only on an NTFS volume.

Note

To enable access-based enumeration on a shared folder, you must use Share and Storage Management. Access-based enumeration allows users to see only the files and folders in a shared folder to which they have permission to access. For more information, see https://go.microsoft.com/fwlink/?LinkId=141539.

Set permissions on shared folders

  • Using the Windows interface

  • Using a command line

To set permissions on a shared folder by using the Windows interface

  1. Open Computer Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. In the console tree, click System Tools, click Shared Folders, and then click Shares.

  4. In the details pane, right-click the shared folder, and then click Properties.

  5. On the Share Permissions tab, set the permissions you want:

    • To assign permissions to a shared folder to a user or group, click Add. In the Select Users, Computers, or Groups dialog box, find or type the user or group name, and then click OK.

    • To revoke access to the shared folder, click Remove.

    • To set individual permissions for the user or group, in Permissions for group or user, select Allow or Deny.

  6. To set file and folder permissions that apply to users who log on locally or using Remote Desktop Services, click the Security tab and set the appropriate permissions.

To specify file permissions for a user by using a command line

  1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. To set individual permissions for a user or group on a file or folder located on an NTFS volume, type:

    cacls /G <user:permission>
    

    For example, to specify Write permissions for a user with the user name Monica on a file named 002.jpg, type:

    cacls 002.jpg /G Monica:w
    
  4. To revoke access to the shared folder, type:

    cacls /R <user>
    

    For example, to revoke access to the shared folder for a user with user name Monica, type:

    Cacls /R Monica
    
Value Description

cacls

Displays or modifies access control lists (ACL) of files.

/R

Revokes the specified user's access rights

/G

Grants access rights to the specified user

<user>

The user or group whose access rights are being set.

<permission>

The permission being granted to the user. This can be one of the following:

  • N (None)

  • W (Write)

  • C (Change)

  • F (Full control)

Additional references

Command-line syntax notation